Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MISP API output bot significant_fields does work correctly for multiple fields #2578

Open
karsa-mistmere opened this issue Mar 5, 2025 · 1 comment
Open

MISP API output bot significant_fields does work correctly for multiple fields #2578

karsa-mistmere opened this issue Mar 5, 2025 · 1 comment
Labels
component: bots

Comments

@karsa-mistmere
Copy link

karsa-mistmere commented Mar 5, 2025
edited
Loading

When multiple fields are listed in the MISPAPIOutputBot's significant_fields setting, the bot uses PyMISP’s build_complex_query to construct a query (e.g., {'AND': ['12.123.21.21', 'foobar.com']}) and passes it to the value argument of PyMISP.search().

However, value does not support complex queries.

Expected behaviour

The bot should correctly filter MISP events based on multiple significant fields.

Actual behaviour

Since value does not interpret complex queries, the filter is ignored, causing the bot to return all events. This leads to incorrect duplicate event detection.

Supporting Evidence

According to PyMISP's official documentation, build_complex_query can be used with tags and event_tags, but not value. Testing confirms that complex queries are not processed as expected.

TL;DR

The MISPAPIOutputBot's significant_fields setting only works correctly with a single field or when multiple fields never appear together in the same event.

Updates

Edit: seems like, while the feature itself is undocumented, this might be an error on MISP's side. The complex value is actually parsed in Event::set_filter_value, but results in an entirely erroneous condition, see MISP/MISP#10250
@sebix
Copy link
Member

sebix commented Mar 5, 2025

The MISP API output bot was written and contributed by @bernhardreiter , can you help here?

@karsa-mistmere karsa-mistmere changed the title MISP API output bot significant_fields does not seem to work at all MISP API output bot significant_fields does work correctly for multiple fields Mar 5, 2025
@karsa-mistmere karsa-mistmere mentioned this issue Mar 5, 2025
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
component: bots
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sebix @karsa-mistmere